# Vulnerability Summary: Xiaopi Web Application Firewall V1.0.0 Bypass

**Vulnerability Overview**

* **Vulnerability Title**: Xiaopi Web Application Firewall V1.0.0 Bypass
* **Description**: This vulnerability exists in the official WAF firewall of Xiaopi Panel. Because user input is inadequately filtered by the WAF rules, an attacker can execute malicious code by crafting specific injection payloads. Even with WAF protection enabled, the restrictions can be bypassed using particular formatting and encoding techniques, allowing injection attacks to go through.
* **Submission ID**: #780839
* **Submission Date**: 2026-03-16 (Note: the date shown in the screenshot is 2026, which may be a future date or a system time error, but it is the original information from the screenshot)
* **Status**: Moderated
* **VulDB Entry**: Includes a link to "Xiaopi Panel 1.0.0 WAF firewall/demo.php param cross site scripting"

**Affected Scope**

* **Affected Product**: Xiaopi Panel
* **Specific Component**: Web Application Firewall (WAF) V1.0.0
* **Related File**: demo.php (inferred from the VulDB entry)

**Remediation**

* The page does not directly provide a specific patch or code fix. In general, the recommended remediation is to upgrade the WAF rules or update the Xiaopi Panel version so that the filtering logic is corrected.

**POC or Exploitation Code**

* The page does not directly display a specific POC code block.
* A GitHub link is provided, which may contain relevant commits or code: `https://github.com/xiaopiapi/xiaopi_subm/issues/1`
* The VulDB entry link points to: `Xiaopi Panel 1.0.0 WAF firewall/demo.php param cross site scripting`

**Summary**

This is a report on a bypass vulnerability in Xiaopi Panel's WAF version 1.0.0. Attackers can exploit it by using specially crafted injection statements to bypass WAF filtering and execute malicious code.

Currently, the page mainly displays the vulnerability description and status without directly providing exploitation code, but it offers the related GitHub issue and VulDB entry links for further reference.